CAPIG XSS (Meta Conversions API Gateway) postMessage origin ...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://ysamm.com/uncategorized/2025/01/13/capig-xss.html
• Blog Title: CAPIG XSS (Meta Conversions API Gateway): postMessage origin trust to script loading + stored JS injection in capig-events.js
• Suggested Section: Pentesting Web -> PostMessage Vulnerabilities (origin validation -> script loading) and/or Pentesting Web -> XSS (Supply-chain/shared script stored XSS via backend-generated JS); also relevant as a case study for CSP Bypass patterns (CSP allowlist abuse via compromised allowed third-party origin)

🎯 Content Summary

Scope / what was analyzed

The post analyzes two vulnerabilities affecting Meta’s Conversions API Gateway (CAPIG), focusing on Meta’s hosted gateway instance gw.conversionsapigateway.com and its shared JavaScript asset:

https://gw.conversionsapigateway.com/sdk/<pixel_id>/capig-events.js

This script is auto-loaded by Meta’s fbq client module (not manually embedded) and therefore executes on multiple high-privilege origins, including:

• www.meta.com
• business.facebook.com
• developers.facebook....

🔧 Technical Details

Trick 1 — postMessage origin-to-script-src pivot: If a page listens for postMessage (e.g., msg_type == IWL_BOOTSTRAP) and stores event.origin without validating it, then later uses that stored origin to build a script URL (e.g., /sdk/<pixel_id>/iwl.js), an attacker can turn message-origin control into JavaScript execution. Exploitability depends on reaching the message handler and on the embedding page’s CSP allowing scripts from the attacker-controlled origin.

Trick 2 — bypassing opener-gated logic under COOP using WebView window.name reuse: When exploitation requires window.opener but the target uses Cross-Origin-Opener-Policy: same-origin-allow-popups, the post describes regaining an opener condition in Android WebView by reusing window.name with window.open(target, name). In that scenario, the window may become its own opener, so the required cross-window message may need to be sent from an attacker-controlled iframe inside the page.

Trick 3 — CSP-assisted script loading ...

🤖 Agent Actions

Updated postmessage-vulnerabilities/README.md with a new CAPIG case study detailing how unvalidated postMessage origins were pivoted into script loads, CSP allowlist abuse, WebView opener bypass, iframe-delivered payloads, and the backend string-concatenation bug that turned shared analytics JS into a supply-chain stored XSS. Added actionable defenses and referenced the source blog.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://ysamm.com/uncategorized/2025/01/13/capig-xss.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> PostMessage Vulnerabilities (origin validation -> script loading) and/or Pentesting Web -> XSS (Supply-chain/shared script stored XSS via backend-generated JS); also relevant as a case study for CSP Bypass patterns (CSP allowlist abuse via compromised allowed third-party origin)".

Repository Maintenance:

• MD Files Formatting: 938 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge